Connectivity requirements

Overview

This page lists the connectivity requirements of every Nexthink product in the following sections. Some products allow you to use either a secure or a non-secure channel for specific services. Depending on their configuration, you may need to allow connections through a different port number.

Ensure your firewall has TCP port 443 open for your Nexthink instance URL pattern. The URL pattern can be one of the following:

  • <instance>.<region>.nexthink.cloud

  • <instance>.data.<region>.nexthink.cloud

URL pattern description:

  • <instance>: The name of the Nexthink instance.

  • <region>: The name of the region where the instance is located:

    • us: United States.

    • eu: European Union.

    • pac: Asia-Pacific region.

    • meta: Middle East, Turkey, and Africa.

The following tables indicate the transport protocol for each connection. When an application protocol handles the connection over the transport layer, the application protocol name precedes the transport protocol name.

Web interface

| Port number | Protocol | Direction | Reason | Domain | API base URL |
|---|---|---|---|---|---|
| 443 | HTTPS / TCP | OUT | Access to the Nexthink web interface | Nexthink instance Fully Qualified Domain Name (FQDN) link pattern: <instance>.<region>.nexthink.cloud | https://instance.api.region.nexthink.cloud |
| 443 | HTTPS / TCP | OUT | Access to the Nexthink web interface with SAML-based authentication | Nexthink instance FQDN link pattern: https://<instance>-login.<region>.nexthink.cloud | |
| 443 | HTTPS / TCP | OUT | Access to the Nexthink web interface for the authentication | oktacdn.com | |
| 443 | HTTPS / TCP | OUT | Access to Datadog Real User Monitoring; for more information on data processing, see Nexthink Data Processing Schedule | browser-intake-datadoghq.com | |

Collector

| Port number | Protocol | Direction | Reason |
|---|---|---|---|
| 443 | WebSocket / TCP / HTTPS | OUT | Default communication channel to reach a Nexthink instance. |

In addition, the Windows Collector calls a Windows API method once every 24 hours. The API method triggers a connection for the client to the domain controller operations through TCP port 135. Service responses use ephemeral TCP ports in the 49152-65535 range.

Nexthink users can export the results of their investigations using the export function. Each Nexthink user can perform one export at a time. Multiple users of the same Nexthink instance can run a maximum of five exports in parallel.

When a data export is finished, the link generated for the file to export is a pre-signed link to an Amazon Web Services (AWS) S3 bucket with a validity of 10 minutes. The link uses Amazon virtual-hosted-style, according to the following pattern:

Example link:

https://aris-export-eu-west-3-884848470805.s3.eu-west-3.amazonaws.com/a0e96b8f-1982-4764-8399-baadbdccd0a2/dsfd.csv?X-Amz-Security-Token=IQoJb[…]%3D&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20240307T045205Z&X-Amz-SignedHeaders=host&X-Amz-Expires=600&X-Amz-Credential=ASIAYYF2Y7N43YBPXMEP%2F20240307%2Feu-west-3%2Fs3%2Faws4_request&X-Amz-Signature=8e1bc4b788504c579c87c1e2e254e12227fbe006fc500cd53b3796030ebf208d

Description:

  • Constant part of URL that does not change

  • Region where Nexthink instance is located

  • AWS account

  • Unique export ID per request

  • Exported file name

  • Parameters for authentication added by AWS

This part of the URL is static for each request. Add this part to the permitted list of the firewall. In the following URL, change the region to the region of your tenant: https://aris-export-eu-west-3-884848470805.s3.eu-west-3.amazonaws.com
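An added example, not part of the original Nexthink page: a Python sketch that splits an export link into the parts listed above, derives when the pre-signed link stops working, and checks the host against a permitted list by exact match. The host layout in HOST_RE is an assumption inferred from the single example link on this page, and the function names are illustrative.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Assumed host layout, inferred from the page's example link:
#   aris-export-<aws-region>-<12-digit account>.s3.<aws-region>.amazonaws.com
HOST_RE = re.compile(
    r"aris-export-(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)-(?P<account>\d{12})"
    r"\.s3\.(?P=region)\.amazonaws\.com"
)

# The page's example link, abridged: token, credential and signature omitted.
SAMPLE_LINK = (
    "https://aris-export-eu-west-3-884848470805.s3.eu-west-3.amazonaws.com"
    "/a0e96b8f-1982-4764-8399-baadbdccd0a2/dsfd.csv"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20240307T045205Z"
    "&X-Amz-SignedHeaders=host&X-Amz-Expires=600"
)


def parse_export_link(url):
    """Split an export link into the parts the page describes."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    match = HOST_RE.fullmatch(host)
    if parts.scheme != "https" or match is None:
        raise ValueError("not an HTTPS link to an export bucket")
    segments = parts.path.strip("/").split("/")
    if len(segments) != 2:
        raise ValueError("expected /<export-id>/<file-name>")
    query = parse_qs(parts.query)
    try:
        # X-Amz-Date is the signing time in UTC; X-Amz-Expires is in seconds.
        signed_at = datetime.strptime(
            query["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ"
        ).replace(tzinfo=timezone.utc)
        lifetime = timedelta(seconds=int(query["X-Amz-Expires"][0]))
    except (KeyError, ValueError) as exc:
        raise ValueError("missing or malformed signing parameters") from exc
    return {
        "host": host, "region": match["region"], "account": match["account"],
        "export_id": segments[0], "file_name": segments[1],
        "expires_at": signed_at + lifetime,
    }


def host_allowed(url, allowed_hosts):
    """Exact host comparison, as a firewall or proxy rule should do it."""
    return (urlsplit(url).hostname or "") in allowed_hosts
```

Comparing the whole hostname, rather than testing whether the URL starts with or contains the permitted string, keeps a host that merely embeds the bucket name as a prefix from passing the rule.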

Data Enricher (classic)

| Port number | Protocol | Direction | Reason | Domain |
|---|---|---|---|---|
| 53 | DNS / UDP | OUT | Resolving destination names by reverse IP | |
| 389 | LDAP / TCP | OUT | Connection to Active Directory (AD); non-secure | |
| 443 | HTTPS / TCP | OUT | Send AD and DNS data | agora.<reg>.nexthink.cloud (<reg> is the availability region of the customer) |
| 636 | LDAPS / TCP | OUT | Connection to AD; secure | |

Finder (classic)

Nexthink Finder is a Windows-only desktop application whose functionality is now available within the Nexthink web interface. Nexthink can now be used directly from a browser and most functions no longer require an additional desktop application.

| Port number | Protocol | Direction | Reason | Domain |
|---|---|---|---|---|
| 25 | SMTP / TCP | OUT | Send email in case of errors | |
| 80 | HTTP / TCP | OUT | Connection to the documentation website | doc.nexthink.com |
| 80 | HTTP / TCP | OUT | Verification of security certificates | ocsp.verisign.com |
| 443 | HTTPS / TCP | OUT | Connection to the documentation website | doc.nexthink.com, docs.nexthink.com |
| 443 | WebSocket / TCP | OUT | User connection to the web interface | Nexthink instance FQDN |
| 443 | HTTPS / TCP | OUT | Application installation and software updates | Nexthink instance FQDN |
| 443 | HTTPS / TCP | OUT | Support telemetry | alib.nexthink.com |
| 443 | HTTPS / TCP | OUT | Connection to Nexthink Library | library.nexthink.com |

Engine (classic)

If rule-based Collector assignment is turned on, the TCP channel of Collector also connects to the Nexthink web interface. Collectors use this connection to ask for their assigned Engine (classic). Collector can no longer use a UDP channel to send end-user analytics to the Engine (classic).

| Port number | Protocol | Direction | Reason |
|---|---|---|---|
| 443 | TCP | OUT | Send end-user analytics to the Engine (classic); coordination data and updates |
